Amazon AWS Certified Advanced Networking - Specialty Exam: Troubleshooting EC2 Instances Connectivity to On-Premises DNS Server

Reasons for EC2 Instances Not Reaching On-Premises DNS Server


Question

Your company has set EC2 Instances in a VPC.

These Instances have been configured to query an on-premises Data center DNS server.

But the Instances are not able to reach the on-premises server.

Which of the following could be a reason for this? Choose the best answer from the options given below.

Answers

Explanations


A. The Security Groups for the EC2 Instances are blocking incoming on port 53.

B. The NACLs are blocking outgoing on port 53 for TCP.

C. The NACLs are blocking outgoing on port 53 for UDP.

D. The NACLs are blocking incoming on port 53 for TCP.

E. The NACLs are blocking incoming on port 53 for UDP.

Answer - C.

In order to communicate with a DNS Server, the instance needs to reach the DNS server on port 53 for UDP.

Options A, D and E are invalid since this issue is with the outgoing traffic.

Option B is INCORRECT because TCP 53 is used for DNS zone transfers and should be allowed between trusted DNS servers.

For more information on NACLs, please refer to the below URL.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

The reason why the EC2 Instances are not able to reach the on-premises server could be due to a network connectivity issue or a misconfiguration in the network. Let's look at each answer option to determine which one could be the most likely reason for the issue.

A. The Security Groups for the EC2 Instances are blocking incoming on port 53. This option is unlikely: it concerns incoming traffic, while the failing traffic here is outgoing (the instance's query to the on-premises server), so a security group blocking incoming port 53 does not explain why the instances cannot send their queries.

B. The NACLs are blocking outgoing on port 53 for TCP.

C. The NACLs are blocking outgoing on port 53 for UDP.

NACLs control both incoming and outgoing traffic, and they are stateless, which means that a rule allowing traffic in one direction does not automatically allow the return traffic. Both options B and C state that outgoing traffic on port 53 is blocked. DNS queries normally use UDP, so option C is the more likely answer.

D. The NACLs are blocking incoming on port 53 for TCP.

E. The NACLs are blocking incoming on port 53 for UDP.

Incoming rules on port 53 are not relevant in this scenario: the EC2 Instances are initiating the connection to the on-premises server, so their queries leave as outgoing traffic. Hence, it is unlikely that NACLs blocking incoming traffic on port 53 are the cause.

Therefore, based on the above analysis, the most likely reason for the EC2 Instances not being able to reach the on-premises server is option C: The NACLs are blocking outgoing on port 53 for UDP. To resolve the issue, you would need to modify the NACL rules to allow outgoing traffic on port 53 for UDP.
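As an added example (not part of the original question bank or any AWS API), the following Python model evaluates stateless NACL rules the way the explanation describes: lowest rule number first, first match wins, implicit deny at the end, and the query and its reply judged independently. It compares a constructed NACL matching answer C with a corrected one; the Rule structure, helper names and the 10.10.0.53 on-premises address are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated in ascending order; first match wins
    egress: bool       # True = outbound rule set, False = inbound rule set
    protocol: str      # "tcp", "udp" or "all"
    port_from: int     # port range (ignored when protocol is "all")
    port_to: int
    cidr: str          # destination CIDR for egress rules, source CIDR for ingress rules
    action: str        # "allow" or "deny"


def nacl_decision(rules, egress, protocol, port, remote_ip):
    """Stateless evaluation: only the rules for this direction are consulted,
    lowest number first. No match -> implicit deny (the '*' rule of every NACL)."""
    addr = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.egress != egress or r.protocol not in ("all", protocol):
            continue
        if r.protocol != "all" and not (r.port_from <= port <= r.port_to):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"


def dns_query_path(rules, dns_server, ephemeral_port=40000):
    """A UDP DNS lookup needs two independent decisions because NACLs are stateless:
    the query leaving to dst port 53, and the reply returning to the instance's
    ephemeral source port. Both must be allowed for resolution to work."""
    out = nacl_decision(rules, True, "udp", 53, dns_server)
    back = nacl_decision(rules, False, "udp", ephemeral_port, dns_server)
    return {"query_out": out, "reply_in": back,
            "dns_works": out == "allow" and back == "allow"}


ONPREM_DNS = "10.10.0.53"  # constructed address for the on-premises DNS server

# Constructed NACL matching answer C: outbound UDP 53 is denied ahead of the catch-all allow.
BROKEN_NACL = [
    Rule(100, True, "udp", 53, 53, "10.10.0.0/16", "deny"),
    Rule(200, True, "all", 0, 65535, "0.0.0.0/0", "allow"),
    Rule(100, False, "all", 0, 65535, "0.0.0.0/0", "allow"),
]

# Corrected NACL: explicit outbound allow for UDP 53 to the on-premises range, plus an
# inbound allow for the reply on the ephemeral port range (not implied, since stateless).
FIXED_NACL = [
    Rule(100, True, "udp", 53, 53, "10.10.0.0/16", "allow"),
    Rule(200, True, "all", 0, 65535, "0.0.0.0/0", "allow"),
    Rule(100, False, "udp", 1024, 65535, "10.10.0.0/16", "allow"),
]

if __name__ == "__main__":
    print("broken:", dns_query_path(BROKEN_NACL, ONPREM_DNS))
    print("fixed: ", dns_query_path(FIXED_NACL, ONPREM_DNS))
```

The corrected rule set shows the check a practitioner needs after fixing answer C: the inbound ephemeral-port allow, without which the query leaves but the reply is dropped.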